Security Blog
The latest news and insights from Google on security and safety on the Internet
Vulnerability Rewards Program: 2016 Year in Review
30 de enero de 2017
Posted by Eduardo Vela Nava, VRP Technical Lead, Master of Disaster
We created our Vulnerability Rewards Program in 2010 because researchers should be rewarded for protecting our users. Their discoveries help keep our users, and the internet at large, as safe as possible.
The amounts we award vary, but our message to researchers does not; each one represents a sincere ‘thank you’.
As we have for
2014
and
2015
, we’re again sharing a yearly wrap-up of the Vulnerability Rewards Program.
What was new?
In short — a lot. Here’s a quick rundown:
Previously by-invitation only, we opened up
Chrome's Fuzzer Program
to submissions from the public. The program allows researchers to run
fuzzers
at large scale, across thousands of cores on Google hardware, and receive reward payments automatically.
On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.
We increased our presence at events around the world, like
pwn2own
and
Pwnfest
. The vulnerabilities responsibly disclosed at these events enabled us to quickly provide fixes to the ecosystem and keep customers safe. At both events, we were able to close down a vulnerability in Chrome within days of being notified of the issue.
Stories that stood out
As always, there was no shortage of inspiring, funny, and quirky anecdotes from the 2016 year in VRP.
We met Jasminder Pal Singh at Nullcon in India. Jasminder is a long-time contributor to the VRP, but this research is a side project for him. He spends most of his time growing
Jasminder Web Services Point
, the startup he operates with six other colleagues and friends. The team consists of: two web developers, one graphic designer, a developer for Android and iOS respectively, one Linux administrator, and a Content Manager/Writer. Jasminder’s VRP rewards fund the startup. The number of reports we receive from researchers in India is growing, and we’re growing the VRP’s presence there with additional conference sponsorships, trainings, and more.
Jasminder (back right) and his team
Jon Sawyer worked with his colleague Sean Beaupre from Streamlined Mobile Solutions, and friend Ben Actis to submit three Android vulnerability reports. A resident of
Clallam County, Washington
, Jon donated their $8,000 reward to their local Special Olympics team, the Orcas. Jon told us the reward was particularly meaningful because his son, Benji, plays on the team. He said:
“Special Olympics provides a sense of community, accomplishment, and free health services at meets. They do incredible things for these people, at no cost for the athletes or their parents. Our donation is going to supply them with new properly fitting uniforms, new equipment, cover some facility rental fees (bowling alley, gym, track, swimming pool) and most importantly help cover the biggest cost, transportation.”
VRP researchers sometimes attach videos that demonstrate the bug. While making a great proof-of-concept video is a skill in itself, our researchers raised it to another level this year. Check out this video Frans Rosén sent us. It’s perfectly synchronized to the background music! We hope this trend continues in 2017 ;-)
Researchers’ individual contributions, and our relationship with the community, have never been more important. A hearty thank you to everyone that contributed to the VRP in 2016 — we’re excited to work with you (and others!) in 2017 and beyond.
*Josh Armour (
VRP Program Manager
), Andrew Whalley (
Chrome VRP
), and Quan To (
Android VRP
) contributed mightily to help lead these Google-wide efforts.
No hay comentarios :
Publicar un comentario
Etiquetas
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2023
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2022
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2021
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2020
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2019
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2018
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2017
dic
nov
oct
sept
jul
jun
may
abr
mar
feb
ene
2016
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2015
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
ene
2014
dic
nov
oct
sept
ago
jul
jun
abr
mar
feb
ene
2013
dic
nov
oct
ago
jun
may
abr
mar
feb
ene
2012
dic
sept
ago
jun
may
abr
mar
feb
ene
2011
dic
nov
oct
sept
ago
jul
jun
may
abr
mar
feb
2010
nov
oct
sept
ago
jul
may
abr
mar
2009
nov
oct
ago
jul
jun
mar
2008
dic
nov
oct
ago
jul
may
feb
2007
nov
oct
sept
jul
jun
may
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
No hay comentarios :
Publicar un comentario